Leaked report shows United Nations suffered hack

An internal confidential document from the United Nations, leaked to The New Humanitarian and seen by The Associated Press, says that dozens of servers were “compromised” at its offices in Geneva and Vienna.

Those include the U.N. human rights office, which has often been a lightning rod of criticism from autocratic governments for its calling-out of rights abuses.

One U.N. official told the AP that the hack, which was first detected over the summer, appeared “sophisticated” and that the extent of the damage remained unclear, especially in terms of personal, secret or compromising information that may have been stolen. The official, who spoke only on condition of anonymity to speak freely about the episode, said systems have since been reinforced.

The level of sophistication was so high that it was possible a state-backed actor might have been behind it, the official said.

There were conflicting accounts about the significance of the incursion.

“We were hacked,” U.N. human rights office spokesman Rupert Colville said. “We face daily attempts to get into our computer systems. This time, they managed, but it did not get very far. Nothing confidential was compromised.”

The breach, at least at the human rights office, appears to have been limited to the so-called Active Directory – including a staff list and details like e-mail addresses – and did not include access to passwords. No domain administrator’s account was compromised, officials said.

U.N. spokesman Stephane Dujarric said in an e-mail that the attack “resulted in a compromise of core infrastructure components” at the U.N. offices in Geneva and Vienna, and was “determined to be serious.”

In an e-mail response, he wrote that the servers in Geneva that were targeted were part of a “development environment and contained non-sensitive, test data from two development servers used for web application development.”

“There is no indication that data was exfiltrated from Vienna,” he wrote. The U.N.’s Vienna office is home notably to the U.N.’s Office on Drugs and Crime.

Dujarric said the world body does not have enough information to determine who might have been behind the incursion, but added “the methods and tools used in the attack indicate a high level of resource, capability and determination.”

“The damage related to this specific attack has been contained, and additional mitigation measures implemented,” Dujarric wrote. “Nevertheless the threat of future attacks continues, and the United Nations Secretariat detects and responds to multiple attacks of various levels of sophistication on a daily basis.”

The internal document from the U.N. Office of Information and Technology said 42 servers were “compromised” and another 25 were deemed “suspicious,” nearly all at the sprawling United Nations offices in Geneva and Vienna. Three of the “compromised” servers belonged to the Office of the High Commissioner for Human Rights, which is located across town from the main U.N. office in Geneva, and two were used by the U.N. Economic Commission for Europe.

Jake Williams, CEO of data firm Rendition Infosec and a former U.S. government hacker, said of the U.N. report: “The intrusion definitely looks like espionage.”

He noted that accounts from three different domains were compromised. “This, coupled with the relatively small number of infected machines, is highly suggestive of espionage,” he said after viewing the report.

“The attackers have a goal in mind and are deploying malware to machines that they believe serve some purpose for them,” he added.

The report indicated that 22 accounts were compromised, including domain admins — the log-in level used by administrators. It also showed that logs that would have betrayed the activities of the hackers inside the U.N. networks were “cleared.”

Williams said the report showed the hackers eliminated evidence of what they may have taken through the bulk erasure of network logs. But by doing so, they left their tracks. The most skilled hackers – including U.S., Russian and Chinese agents – can cover their tracks by editing those logs instead of wiping them clean.

Technicians at the United Nations office in Geneva, the world body’s European hub, on at least two occasions worked through weekends in recent months to isolate the local U.N. data center from the Internet, re-write passwords and ensure the systems were clean.

The hack comes amid rising concerns about computer or mobile phone vulnerabilities, both for large organizations like governments and the U.N. as well as for individuals and businesses.

Last week, U.N. human rights experts asked the U.S. government to investigate a suspected Saudi hack that may have siphoned data from the personal smartphone of Jeff Bezos, the Amazon founder and owner of The Washington Post, in 2018. On Tuesday, the New York Times’s bureau chief in Beirut, Ben Hubbard, said technology researchers suspected an attempted intrusion into his phone around the same time.

The United Nations, and its human rights office, is particularly sensitive, and could be a tempting target. The U.N. High Commissioner for Human Rights, Michelle Bachelet, and her predecessors have called out, denounced and criticized alleged war crimes, crimes against humanity and less severe rights violations and abuses in places as diverse as Syria and Saudi Arabia.

Dozens of independent human rights experts who work with the U.N. human rights office have greater leeway – and fewer political and financial ties to the governments that fund the United Nations and make up its membership – to denounce alleged rights abuses.

The U.N. document highlights a vulnerability in the software program Microsoft SharePoint, which could have been used for the hack.

Matt Suiche, a French entrepreneur based in Dubai who founded cybersecurity firm Comae Technologies, said that based on the report from September: “It is impossible to know if it was a targeted attack or just some random internet scan for vulnerable SharePoints.”

But the U.N. official, speaking to The Associated Press on Tuesday, said that since then, the intrusion appeared sophisticated.

“It’s as if someone were walking in the sand, and swept up their tracks with a broom afterward,” the official said. “There’s not even a trace of a clean-up.”